gtk3-nocsd preloads a setuid library

Bug #1857022 reported by Maciej Borzecki
This bug affects 2 people
Affects              Status     Importance  Assigned to  Milestone
gtk3-nocsd (Ubuntu)  Confirmed  Undecided   Unassigned
snapd (Ubuntu)       Confirmed  Undecided   Unassigned

Bug Description

The problem was originally reported in the snapcraft forum regarding snap-confine failing to launch snaps on Kubuntu:
https://forum.snapcraft.io/t/on-ubuntu-18-04-3-with-5-4-5-5-kernels-snaps-are-not-launching/14662/13

The following AppArmor denial, triggered by snap-confine, was observed in the logs:

Dec 17 22:45:10 raffles audit[27067]: AVC apparmor="DENIED" operation="file_mmap" profile="/snap/core/8323/usr/lib/snapd/snap-confine" name="/usr/lib/x86_64-linux-gnu/libgtk3-nocsd.so.0" pid=27067 comm="snap-confine" requested_mask="m" denied_mask="m" fsuid=0 ouid=0

Upon further investigation, the behavior was identified as correct as far as snap-confine's AppArmor profile is concerned. The problem appears to be caused by the libgtk3-nocsd0 package, which ships a setuid library:

guest@ubuntu:/var/lib/dpkg/info$ ls -la /usr/lib/x86_64-linux-gnu/libgtk3-nocsd.so.0
-rwSr--r-- 1 root root 26616 Mar 3 2018 /usr/lib/x86_64-linux-gnu/libgtk3-nocsd.so.0

and sets it up to be preloaded on non-GNOME desktops via Xsession.d hooks that export LD_PRELOAD. snap-confine is a setuid binary, so ld.so runs it in secure-execution mode; in that mode LD_PRELOAD entries are honoured only for libraries that live in a standard search directory and themselves carry the setuid bit. libgtk3-nocsd.so.0 meets both conditions, so ld.so attempts to load it into snap-confine, and the AppArmor profile denies the mmap.

The package also ships with a couple of lintian overrides:
libgtk3-nocsd0: setuid-binary usr/lib/*/libgtk3-nocsd.so.0 4644 root/root
libgtk3-nocsd0: non-standard-setuid-executable-perm usr/lib/*/libgtk3-nocsd.so.0 4644
libgtk3-nocsd0: shlib-with-bad-permissions usr/lib/*/libgtk3-nocsd.so.0 4644

Library version:

ii gtk3-nocsd 3-1ubuntu1 all Disable Gtk+ 3 client side decorations (CSD)
ii libgtk3-nocsd0:amd64 3-1ubuntu1 amd64 Library to disable Gtk+ 3 client side decorations (CSD)
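The two mechanisms the report describes, ld.so's secure-execution handling of LD_PRELOAD and the AVC denial it produces when the preload is attempted inside a confined setuid program, are modelled below. This is an added example, not code from the bug report, from snapd or from the gtk3-nocsd package; the filesystem views, the standard-directory list and the second log line are constructed, and the first log line is the one quoted above. The decision function follows the rule documented in ld.so(8): entries containing a slash are ignored, and a bare name is preloaded only if it resolves inside a standard directory to a file with the setuid bit.

```python
"""Model of ld.so secure-execution LD_PRELOAD handling plus an AVC log check.

Added example for the gtk3-nocsd / snap-confine report. Nothing here reads the
real filesystem: FS_SHIPPED and FS_FIXED are constructed path -> st_mode maps.
"""
import re
import stat

# Trusted search directories consulted in secure-execution mode. Constructed
# for this example; the real list is per-architecture and comes from glibc.
STANDARD_DIRS = (
    "/lib",
    "/usr/lib",
    "/lib/x86_64-linux-gnu",
    "/usr/lib/x86_64-linux-gnu",
)

# Constructed filesystem views: the library as shipped (mode 4644, setuid)
# and the same library with the setuid bit removed (mode 0644).
SONAME = "libgtk3-nocsd.so.0"
LIBPATH = "/usr/lib/x86_64-linux-gnu/" + SONAME
FS_SHIPPED = {LIBPATH: stat.S_IFREG | 0o4644}
FS_FIXED = {LIBPATH: stat.S_IFREG | 0o644}


def secure_preload_decision(entry, fs_view, standard_dirs=STANDARD_DIRS):
    """Return (path_or_None, reason) for one LD_PRELOAD entry under AT_SECURE."""
    if "/" in entry:
        # Pathnames are never honoured for setuid/setgid programs.
        return None, "ignored: entry contains a slash"
    for directory in standard_dirs:
        path = directory.rstrip("/") + "/" + entry
        mode = fs_view.get(path)
        if mode is None:
            continue
        if mode & stat.S_ISUID:
            return path, "preloaded: found in standard dir and setuid"
        return None, "ignored: %s is not setuid" % path
    return None, "ignored: not found in any standard directory"


def audit_preload(ld_preload, fs_view, standard_dirs=STANDARD_DIRS):
    """Evaluate every entry of an LD_PRELOAD string (space or colon separated).

    Returns a list of (entry, resolved_path_or_None, reason) tuples.
    """
    entries = [e for e in re.split(r"[\s:]+", ld_preload.strip()) if e]
    return [(e,) + secure_preload_decision(e, fs_view, standard_dirs)
            for e in entries]


# key=value pairs as written by the audit subsystem; values may be quoted.
AVC_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse an AppArmor AVC audit line into a dict of key -> unquoted value."""
    if "apparmor=" not in line:
        return None
    return {k: v.strip('"') for k, v in AVC_FIELD.findall(line)}


def mmap_denials_as_root(lines):
    """Detection rule: DENIED file_mmap events with fsuid=0.

    This is the shape a setuid, AppArmor-confined program produces when ld.so
    tries to map a preloaded library the profile does not allow. Returns
    (profile, denied file) pairs.
    """
    hits = []
    for line in lines:
        ev = parse_avc(line)
        if (ev and ev.get("apparmor") == "DENIED"
                and ev.get("operation") == "file_mmap"
                and ev.get("fsuid") == "0"):
            hits.append((ev.get("profile"), ev.get("name")))
    return hits


# First line is the denial quoted in the report; second is a constructed
# benign event that the rule must not flag.
SAMPLE_LOG = [
    'Dec 17 22:45:10 raffles audit[27067]: AVC apparmor="DENIED" operation="file_mmap" '
    'profile="/snap/core/8323/usr/lib/snapd/snap-confine" '
    'name="/usr/lib/x86_64-linux-gnu/libgtk3-nocsd.so.0" pid=27067 comm="snap-confine" '
    'requested_mask="m" denied_mask="m" fsuid=0 ouid=0',
    'Dec 17 22:45:11 raffles audit[27068]: AVC apparmor="ALLOWED" operation="open" '
    'profile="/usr/bin/example-app" name="/etc/hosts" pid=27068 comm="example-app" '
    'requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
]

if __name__ == "__main__":
    for fs_name, fs in (("shipped 4644", FS_SHIPPED), ("fixed 0644", FS_FIXED)):
        for entry, path, reason in audit_preload(SONAME, fs):
            print("%-13s %-20s -> %s" % (fs_name, entry, reason))
    for entry, path, reason in audit_preload("./" + SONAME, FS_SHIPPED):
        print("%-13s %-20s -> %s" % ("relative", entry, reason))
    for profile, name in mmap_denials_as_root(SAMPLE_LOG):
        print("denial: %s could not mmap %s" % (profile, name))
```

Running the block shows the two halves of the problem side by side: with the shipped 4644 mode the bare soname is accepted into a setuid process, with 0644 it is silently dropped, and an entry with a slash is dropped regardless, which is why only the setuid bit on the installed copy matters for snap-confine.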

Changed in snapd (Ubuntu):
status: New → Confirmed
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in gtk3-nocsd (Ubuntu):
status: New → Confirmed
Revision history for this message
Jan Pfeifer (pfjan) wrote :

This still stands out: why would this file have SUID set?

It's still the case in Ubuntu 21.10.

$ stat /usr/lib/x86_64-linux-gnu/libgtk3-nocsd.so.0
  File: /usr/lib/x86_64-linux-gnu/libgtk3-nocsd.so.0
  Size: 26616 Blocks: 56 IO Block: 4096 regular file
Device: 10301h/66305d Inode: 655517 Links: 1
Access: (4644/-rwSr--r--) Uid: ( 0/ root) Gid: ( 0/ root)
Access: ...
Modify: 2018-03-03 05:46:23.000000000 +0100
Change: 2021-11-25 18:53:34.252491152 +0100
 Birth: 2021-11-25 18:53:34.252491152 +0100

Revision history for this message
Jan Pfeifer (pfjan) wrote :

I suppose it has to do with allowing libgtk3-nocsd to be preloaded (LD_PRELOAD), according to:

https://blog.fpmurphy.com/2012/09/all-about-ld_preload.html#:~:text=LD_PRELOAD%20is%20an%20optional%20environmental,is%20called%20preloading%20a%20library.

My LD_PRELOAD is set by default (not sure why) with libgtk3-nocsd.so.0 -- /etc/X11/Xsession.d/51gtk3-nocsd-detect.

This feels like such a security hole ... libgtk3-nocsd.so.0 can take over the machine if I ran anything with setuid.

And what's worse, because it's set without an absolute path, one may create an "evil" libgtk3-nocsd.so.0 somewhere ahead of the intended one.

Am I missing something?

This report contains Public Security information  
Everyone can see this security related information.
